Sure. The semantic layer is a second verification pass that runs independently of file integrity. Here's why SHA-256 alone isn't enough. An adversary can:

Remove job_snapshot from the artifact (stripping the core evidence of what actually ran) Recompute all SHA-256 hashes to match the modified files Rebuild the manifest

A hash-only verifier sees everything consistent and returns PASS. The attack succeeds silently. The semantic layer catches this. After the integrity check passes, it independently verifies:

job_snapshot is present (evidence of the actual computation, not just file hashes) payload.kind matches the registered claim type (can't swap one claim for another) canary_mode flag is consistent (dual-mode execution provenance intact)

If job_snapshot was stripped, the semantic check returns FAIL: job_snapshot missing — even if every SHA-256 is valid. This specific attack is an adversarial test in the public repo: tests/steward/test_cert02_pack_includes_evidence_and_semantic_verify.py

The deeper point — which I didn't explain in the original post: In physics and engineering domains, the semantic layer connects to something stronger than an internal threshold. Young's modulus for aluminium is ~70 GPa. That's not a value I chose — it's been measured independently in thousands of labs worldwide. When MTR-1 runs, it verifies the computation against that physical constant (rel_err ≤ 1%). The chain extends to FEM verification (DT-FEM-01, rel_err ≤ 2%) and drift monitoring (DRIFT-01). The difference: tamper-evident provenance answers "was the bundle modified?" — the physical anchor answers "does the number agree with physical reality?" These are different questions. Both matter, but the second is harder to fake because the ground truth is external to the system. This doesn't apply to ML accuracy or data pipelines — there the value is purely tamper-evident provenance, not physical grounding. The protocol is honest about that distinction in reports/known_faults.yaml.